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Abstract. When dealing with process calcuh and automata which ex- 
press both nondeterministic and probabiUstic behavior, it is customary 
to introduce the notion of scheduler to solve the nondeterminism. It 
has been observed that for certain applications, notably those in secu- 
rity, the scheduler needs to be restricted so not to reveal the outcome 
of the protocol's random choices, or otherwise the model of adversary 
would be too strong even for "obviously correct" protocols. We propose 
a process-algebraic framework in which the control on the scheduler can 
be specified in syntactic terms, and we show how to apply it to solve the 
problem mentioned above. We also consider the definition of (probabilis- 
tic) may and must preorders, and we show that they are precongruences 
with respect to the restricted schedulers. Furthermore, we show that all 
the operators of the language, except replication, distribute over proba- 
bilistic summation, which is a useful property for verification. 



1 Introduction 

Security protocols, in particular those for for anonymity and fair exchange, often 
use randomization to achieve their targets. Since they usually involve more than 
one agent, they also give rise to concurrent and interactive activities that can be 
best modeled by nondeterminism. Thus it is convenient to specify them using 
a formalism which is able to represent both probabilistic and nondeterministic 
behavior. Formalisms of this kind have been explored in both Automata Theory 
|ll2l3l4l5j and in Process Algebra [6171819110111] . See also |12I13| for comparative 
and more inclusive overviews. 

Due to the presence of nondeterminism, in such formalisms it is not possible 
to define the probability of events in absolute terms. We need first to decide 
how each nondeterministic choice during the execution will be solved. This de- 
cision function is called scheduler. Once the scheduler is fixed, the behavior of 
the system (relatively to the given scheduler) becomes fully probabilistic and a 
probability measure can be defined following standard techniques. 

It has been observed by several researchers that in security the notion of 
scheduler needs to be restricted, or otherwise any secret choice of the protocol 
could be revealed by making the choice of the scheduler depend on it. This issue 
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was for instance one of the main topics of discussion at the panel of CSFW 2006. 
We illustrate it here with an example on anonymity. We use the standard CCS 
notation, plus a construct of probabilistic choice P +pQ representing a process 
that evolves into P with probability p and into Q with probability 1 — p. 

The following system Sys consists of one receiver R and two senders S, T 
which communicate via private channels a, b respectively. Which of the two 
senders is successful is decided probabilistically by R. After reception, R sends 
a signal ok. 

R = a.'^.O +0.5 ft.'^.O 5 = o.O T = 6.0 Sys = {ija){ijh){R \ S \ T) 

The signal ok is not private, but since it is the same in both cases, in principle 
an external observer should not be able to infer from it the identity of the sender 
{S or T). So the system should be anonymous. However, consider a team of two 
attackers A and B defined as 



and consider the parallel composition Sys | ^ | S. We have that, under certain 
schedulers, the system is no longer anonymous. More precisely, a scheduler could 
leak the identity of the sender via the channels s, t by forcing R to synchronize 
with A on ok if R has chosen the first alternative, and with B otherwise. This 
is because in general a scheduler can see the whole history of the computation, 
in particular the random choices, even those which are supposed to be private. 
Note that the visibility of the synchronization channels to the scheduler is not 
crucial for this example: we would have the same problem, for instance, if S, T 
were both defined as a.O, R as a.ofc.O, and Sys as {va){{R +0.5 S) \ T). 

The above example demonstrates that, with the standard definition of sched- 
uler, it is not possible to represent a truly private random choice (or a truly 
private nondeterministic choice, for the matter) with the current probabilistic 
process calciili. This is a clear shortcoming wlicni wc want to use these formalisms 
for the specification and verification of security protocols. 

There is another issue related to verification: a private choice has certain 
algebraic properties that would be useful in proving equivalences between pro- 
cesses. In fact, if the outcome of a choice remains private, then it should not 
matter at which point of the execution the process makes such choice, until it 
actually uses it. Consider for instance A and B defined as follows 



Process A receives a value and then decides randomly whether it will accept the 
value or 1. Process B does exactly the same thing except that the choice is 
performed before the reception of the value. If the random choices in A and B are 
private, intuitively we should have that A and B are equivalent [Ak, B). This is 
because it should not matter whether the choice is done before or after receiving 
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Fig. 1. Execution trees for A | C and B \ C 



a message, as long as the outcome of the choice is completely invisible to any 
other process or observer. However, consider the parallel context C = aO | al. 
Under any scheduler A has probability at most 1/2 to perform ok. With S, 
on the other hand, the scheduler can choose between aO and al based on the 
outcome of the probabilistic choice, thus making the maximum probability of ok 
equal to 1. The execution trees of ^ | C and B \ C are shown in Figure [1] 
In general when +p represents a private choice we would like to have 

C[P +p Q] « C[t.P] +p C[t.Q] (1) 

for all processes P, Q and all contexts C not containing replication ( or recursion). 
In the case of replication the above cannot hold since \{P +p Q) makes available 
each time the choice between P and Q, while (!t.P) +p (!t.(5) chooses once and 
for all which of the two [P or Q) should be replicated. Similarly for recursion. 
The reason why we need a r is explained in Section [51 

The algebraic property ([1]) expresses in an abstract way the privacy of the 
probabilistic choice. Moreover, this property is also useful for the verification of 
security properties. The interested reader can find in [T3] an example of appli- 
cation to a fair exchange protocol. In principle ([1]) should be useful for any kind 
of verification in the process algebra style. 

We propose a process-algebraic approach to the problem of hiding the out- 
come of random choices. Our framework is based on a calculus obtained by 
adding to CCS an internal probabilistic choice construclQ. This calculus, to which 
we refer as CCSp, is a variant of the one studied in [TT], the main differences be- 
ing that we use replication instead than recursion, and we lift some restrictions 
that were imposed in [11 to obtain a complete axiomatization. The semantics 
of CCSp is given in terms of Segala's simple probabilistic automata [417] . 

In order to limit the power of the scheduler, we extend CCSp with terms rep- 
resenting explicitly the notion of scheduler. The latter interact with the original 
processes via a labeling system. This will allow to specify at the syntactic level 
(by a suitable labeling) which choices should be visible to schedulers, and which 
ones should not. 

^ We actually consider a variant of CCS where recursion is replaced by replication. The 
two languages are not equivalent, but we believe that the issues regarding the dif- 
ferences between replication and recursion are orthogonal to the topics investigated 
in this paper. 
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1.1 Contribution 

The main contributions of this paper are: 

— A process calculus CCSo- in which the scheduler is represented as a process, 
and whose power can therefore be controlled at the syntactic level. 

— An application of CCSo- to an extended anonymity example (the Dining 
Cryptographers Protocol, DCP). We also briefly outline how to extend CCSo- 
so to allow the definition of private nondeterministic choice, and we apply it 
to the DCP with nondeterministic master. To our knowledge this is the first 
formal treatment of the scheduling problem in DCP and the first formaliza- 
tion of a nondeterministic master for the (probabilistic) DCP. 

— The adaptation of the standard notions of probabilistic testing preorders to 
CCScr, and the "sanity check" that they are still precongruences with respect 
to all the operators except the nondeterministic sum. For the latter we have 
the problem that P and t.P are must equivalent, but Q + P and Q -\- t.P 
are not. This is typical for the CCS +: usually it does not preserve weak 
equivalences. 

— The proof that, under suitable conditions on the labelings of C, t.P and 
T.Q, CCSo- satisfies the property expressed by H]), where « is probabilistic 
testing equivalence. 

1.2 Related work 

The works that are most closely related to ours are |17ll8j . In those paper the 
authors consider probabilistic automata and introduce a restriction on the sched- 
uler to the purpose of making them suitable to applications in security protocols. 
Their approach is based on dividing the actions of each component of the sys- 
tem in equivalence classes (tasks). The order of execution of different tasks is 
decided in advance by a so-called task scheduler. The remaining nondeterminism 
within a task is solved by a second scheduler, which models the standard adver- 
sarial scheduler of the cryptographic community. This second entity has limited 
knowledge about the other components: it sees only the information that they 
communicate during execution. 

In contrast to the above approach, our definition of scheduler is based on 
a labeling system, and the same action can receive different labels during the 
execution, so our "equivalence classes" (schedulable actions with the same la- 
bel) can change dynamically. However we don't know at the moment whether 
this difference determines a separation in the expressive power. The main differ- 
ence, anyway, is that our framework is process-algebraic and we focus on testing 
preorders, their congruence properties, and the conditions under which certain 
equivalences hold. 

Another work along these lines is , which uses partitions on the state-space 
to obtain partial-information schedulers. However in that paper the authors con- 
sider a synchronous parallel composition, so the setting is rather different. 
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1.3 Plan of the paper 

In the next section we briefly recall some basic notions. In Section [3] we define 
a preliminary version of the language CCSo- and of the corresponding notion of 
scheduler. In Section 3] we compare our notion of scheduler with the more stan- 
dard "semantic" notion, and we improve the definition of CCSo- so to retrieve the 
full expressive power of the semantic schedulers. In Section Owe study the prob- 
abilistic testing preorders, their compositionality properties, and the conditions 
under which ^ holds. Section [S] presents an application to security. Section [7] 
concludes. 

2 Preliminaries 

In this section we briefiy recall some preliminary notions about the simple prob- 
abilistic automata and CCSp. 

2.1 Simple probabilistic automata [4117] 

A discrete probability measure over a set X is a function : 2^ i— > [0, 1] such that 
= 1 and ^{UiXi) — ^ ■ iJ,{Xi) where Xi is a countable family of pairwise 
disjoint subsets of X. The set of all discrete probability measures over X will be 
denoted by Disc{X). We will denote by 6{x),x G X (called the Dirac measure 
on x) the probability measure that assigns probability 1 to {x}. We will also 
denote by X^ibil/^i the probability measure obtained as a convex sum of the 
measures /i^. 

A simple probabilistic automator^ is a tuple {S, q, A, T>) where S* is a set of 
states, q € S is the initial state, A is a set of actions and T> C S x Ax Disc{S) is a 
transition relation. Intuitively, if (s, a, /u) £ P then there is a transition from the 
state s performing the action a and leading to a distribution fi over the states 
of the automaton. The idea is that the choice of transition among the available 
ones in V is performed nondeterministically, and the choice of the target state 
among the ones allowed by fi (i.e. those states q such that fi{q) > 0) is performed 
probabilistically. 

A probabilistic automaton AI is fully probabilistic if from each state of M 
there is at most one transition available. An execution a of a probabilistic au- 
tomaton is a (possibly infinite) sequence soaiSia2S2 ... of alternating states and 
actions, such that q — sq, and for each i {si,ai+i, fii) £ V and /ii(si+i) > 
hold. We will use lstate{a) to denote the last state of a finite execution a, and 
exec* (M) and exec{M) to represent the set of all the finite and of all the exe- 
cutions of M, respectively. 

A scheduler of a probabilistic automaton M = {S, q, A, V) is a function 

C : exec*{M) ^ V 

^ For simplicity in the following we will refer to a simple probabilistic automaton 
as probabilistic automaton. Note however that simple probabilistic automata are a 
subset of the probabilistic automata defined in |4I5] . 
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ACT s RES , 

a.P 5{P) (pa)P ^ {ua)fi 



SUMl ^ PARI ^ "7" ^ 



COM P^^(P') Q^^(Q') pj^oB 



p I g ^ 5(p' I Q') p.^'. E. b.]5(J'0 
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BANGl ^J^^ BANG2 P ^^A) P SjR. 

!P ^ /i I !P !P ^ 5(Pi 1 P2 I !P) 

Fig. 2. The semantics of CCSp. SUMl and PARI have corresponding right rules 
SUM2 and PAR2, omitted for simplicity. 



such that C(ck) — G V implies that s — lstate{a). The idea is that a 

scheduler selects a transition among the ones available in V and it can base 
his decision on the history of the execution. The execution tree of M relative 
to the scheduler (, denoted by etree{M,Q, is a fully probabilistic automaton 
M' = (5", g', A', V) such that S' C exec{M), q' = q, A' = A, and (a, a, n') G V 
if and only if C,{a) = {lstate{a),a, n) for some /i and /^'(aas) = /i(s). Intu- 
itively, etree{M, C) is produced by unfolding the executions of M and resolving 
all deterministic choices using C^. Note that etree{M, C) is a simple^ and fully 
probabilistic automaton. 



2.2 CCS with internal probabilistic choice 



Let a range over a countable set of channel names. The syntax of CCSp is the 
following: 

a ::= a \ a \ t prefixes 

P,Q::~ processes 

a.P prefix 

P I Q parallel 

P + Q nondeterministic choice 

X)i PiPi internal probabilistic choice 

{ua)P restriction 

\P replication 

nil 



We will also use the notation Pi 
Pi = p and p2 = 1 — p- 



-p P2 to represent a binary sum PiPi with 



^ This is true because we do not consider probabilistic schedulers. If we considered 
such schedulers then the execution tree would no longer be a simple automaton. 



6 



The semantics of a CCSp term is a probabilistic automaton defined induc- 
tively on the basis of the syntax according to the rules in Figure [21 We write 
s — > /i when (s, a, /i) is a transition of the probabilistic automaton. We also 
denote hy fi \ Q the measure jj.' such that IJ,'{P \ Q) — m(^) for all processes 
P and fJ,'{R) = if i? is not of the form P \ Q. Similarly {va)ii = ji' such that 
ix'{{va)P)=ti{P). 

A transition of the form P — > 5{P'), i.e. a transition having for target a 
Dirac measure, corresponds to a transition of a non-probabilistic automaton (a 
standard labeled transition system). Thus, all the rules of CCSp imitate the ones 
of CCS except from PROB. The latter models the internal probabilistic choice: 
a silent r transition is available from the sum to a measure containing all of its 
operands, with the corresponding probabilities. 

Note that in the produced probabilistic automaton, all transitions to non- 
Dirac measures are silent. This is similar to the alternating model \2 , however 
our case is more general because the silent and non-silent transitions are not 
necessarily alternated. On the other hand, with respect to to the simple proba- 
bilistic automata the fact that the probabilistic transitions are silent looks as a 
restriction. However, it has been proved by Bandini and Segala [7] that the sim- 
ple probabilistic automata and the alternating model are essentially equivalent, 
so, being in the middle, our model is equivalent as well. 

3 A variant of CCS with explicit scheduler 

In this section we present a variant of CCS in which the scheduler is explicit, in 
the sense that it has a specific syntax and its behavior is defined by the oper- 
ational semantics of the calculus. We will refer to this calculus as CCScr. Pro- 
cesses in CCScr contain labels that allow us to refer to a particular sub-process. 
A scheduler also behaves like a process, using however a different and much 
simpler syntax, and its purpose is to guide the execution of the main process 
using the labels that the latter provides. A complete process is a process running 
in parallel with a scheduler, and we will formally describe their interaction by 
defining an operational semantics for complete processes. 

We will present CCSo- in an incremental way. First we define the basic calculus 
CCSo- which is the same as CCSp with the addition of the explicit scheduler. 
Then we will perform an extensions of this basic calculus by adding choice to the 
scheduler so to achieve its full expressive power. Finally, in SectionlHl we outline 
an extension of CCS(j with a second independent scheduler, to the purpose of 
making private certain nondeterministic choices. 

3.1 Syntax 

Let a range over a countable set of channel names and I over a countable set of 
atomic labels. The syntax of CCSo-, shown in Figure [31 is the same as the one of 
CCSp except for the presence of labels. These are used to select the subprocess 
which "performs" a transition. Since only the operators with an initial rule can 
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I ::= Q I I IJ I e label indexes S,T ::= scheduler 

L ::— labels a{L).S schedule single action 

I a{L,L).S synchronization 
P,Q :■- processes | ^ ^.^ 

L:a.P prefix 

P I Q parallel CP ::— P \\ S complete process 

P + Q nondeterministic choice 

I Pi Pi internal prob. choice 

(va^P restriction 

\P replication 

nil 

Fig. 3. The syntax of the core CCS^ 



originate a transition, we only need to assign labels to the prefix and to the 
probabilistic sum. We use labels of the form P where I is an atomic label and 
the index s is a finite string of and 1, possibly emptjQ- Indexes are used to avoid 
multiple copies of the same label in case of replication, which occurs dynamically 
due to the the bang operator. As explained in the semantics, each time a process 
is replicated we relabel it using appropriate indexes. 

A scheduler selects a sub-process for execution on the basis of its label, so 
we use a{l).S to represent a scheduler that selects the process with label / and 
continues as S. In the case of synchronization we need to select two processes si- 
multaneously, hence we need a scheduler the form cr(Zi, l2)-S. A complete process 
is a process put in parallel with a scheduler, for example li:a.l2'.b \\ a{li).a{l2)- 
Note that for processes with an infinite execution path we need schedulers of 
infinite length. 



3.2 Semantics 

The operational semantics of the CCScr-calculus is given in terms of probabilistic 
automata defined inductively on the basis of the syntax, according to the rules 
shown in Figure HI 

ACT is the basic communication rule. In order for l:a.P to perform a, the 
scheduler should select this process for execution, so the scheduler needs to be of 
the form a{l).S. After the execution the complete process will continue as P \\ S. 
The RES rule models restriction on channel a: communication on this channel 
is not allowed by the restricted process. Similarly to the section [2?2l we denote 
by {ua)fjL the measure /i' such that ^'{{va)P \\ S) = fj,{P \\ S) for all processes P 
and II S) = if i? is not of the form {va)P. SUMl models nondeterministic 
choice. If P II S can perform a transition to /i, which means that S selects one of 
the labels of P, then P + Q \\ S will perform the same transition, i.e. the branch 

* For simplicity we will write I for 
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ACT RES -P II ■5' — > M Q / g, g 

l:a.P II a{l).S ^ 5{P \\ S) {ua)P \\ S ^ {va)fi 



SUMl ^ II ^ PARI ^ll^f'^ 

P + QWS-^fi P\Q\\S ^ nlQ 

COM P|k(/i)^g(P'|[0) Q\\a{l2)^S{Q' \\0) 
P\Q\\a{h,h).S -^S{P' \ Q' II 5-) 

BANGl f 11 g > M PROB 



!P II S ^ Po(m) I PiClJ') «:E.P.P'. II '^il)-S ^ [P.]'5(P'. II s) 

BANG2 P II ^{h) ^ S{P^ II 0) P II ^ ^(P2 II 0) 
\P II a(/i,Z2).5 ^ 5(po(Pi) I Pio(P2) i Pii(!P) II S) 

Fig. 4. The semantics of CCSo-. SUMl and PARI have corresponding right rules 
SUM2 and PAR2, omitted for simphcity. 



P of the choice wiU be selected and Q will be discarded. For example 

h-.a.P + h-.b.Q II cj{h).S ^ S{P II S) 

Note that the operands of the sum do not have labels, the labels belong to the 
subprocesses of P and Q. In the case of nested choices, the scheduler must go 
deep and select the label of a prefix, thus resolving all the choices at once. 

PARI has a similar behavior for parallel composition. The scheduler selects 
P to perform a transition on the basis of the label. The difference is that in 
this case Q is not discarded; it remains in the continuation, fj, \ Q denotes the 
measure /x' such that ^'{P | Q || 5) = ^{P \\ S). COM models synchronization. 
If P II a{li) can perform the action a and Q \\ cr(^2) can perform a, then (t(Zi, h), 
scheduling both li and I2 at the same time, can synchronize the two. PROB 
models internal probabilistic choice. Note that the scheduler cannot affect the 
outcome of the choice, it can only schedule the choice as a whole (that's why a 
probabilistic sum has a label) and the process will move to a measure containing 
all the operands with corresponding probabilities. 

Finally, BANGl and BANG2 model replication. The rules are the same as in 
CCSp, with the addition of a re-labehng operator pk- The reason for this is that 
we want to avoid ending up with multiple copies of the same label as the result 
of replication, since this would create ambiguities in scheduling as explained in 
section [331 Pk{P) replaces all labels l'^ inside P with l^'', and it is defined as 

Pk{l':a.P) = l''':a.pk{P) 

and homomorphically on the other operators (for instance Pk{P \ Q) = Pk{P) \ 
pk{Q))- We also denote by pkiy) the measure p' such that p'{pk{P) \\ S) = 
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IJ.{P II S). Note that we relabel only the resulting process, not the continuation 
of the scheduler: there is no need for relabeling the scheduler since we are free 
to choose the continuation as we please. 

Let us give an example of how BANGl and relabeling work. Let P = l\:a.l2'-b. 
To prove a transition for !P || (j{li).S we have to prove it for P and then relabel 
the resulting process: 

ACT 

h-.a.h-h II a{h).S Sih-.b S) 

BANGl ^ — ^ — 

\{h:a.l2:h) \\ a{h).S <5(/^:6 j \{l\:a.ll:h) \\ S) 

As we can see in the example, when a process ! P is activated, the spawned copy 
of P is relabeled by adding to the index of all the labels, and !P is relabeled 
by adding 1. So the labels of po{P) and pi{\P) will be disjoint. As remarked 
above, the continuation S is not relabeled, if we want to perform b after a then 
S should start with cr(Z2)- 



3.3 Deterministic labelings 

The idea in CCS^ is that a syntactic scheduler will be able to completely solve the 
nondeterminism of the process, without needing to rely on a semantic scheduler 
at the level of the automaton. This means that the execution of a process in 
parallel with a scheduler should be fully probabilistic. To achieve this we will 
impose a condition on the labels that we can use in CCSo- processes. A labeling 
is an assignment of labels to the prefixes and probabilistic sums of a process. We 
will require all labelings to be deterministic in the following sense. 

Definition 1. A labeling of a process P is deterministic iff for all schedulers S 
there is only one transition rule -P jj ^ n that can be applied and the labelings 
of all processes P' such that n{P') > are also deterministic. 

A labeling is linear iff all labels are pairwise disjoint. We can show that linear 
labelings are preserved by transitions, which leads to the following proposition. 

Proposition 1. A linear labeling is deterministic. 

There arc labelings that arc deterministic without being linear. In fact, such 
labelings will be the means by which we hide information from the scheduler. 
However, the property of being deterministic is crucial since it implies that the 
scheduler will resolve all the nondeterminism of the process. 

Proposition 2. Let P be a CCS^ process with a deterministic labeling. Then 
for all schedulers S, the automaton produced by P \\ S is fully probabilistic. 



4 Expressiveness of the syntactic scheduler 

CCS(7 with deterministic labelings allows us to separate probabilities from non- 
determinism in a straightforward way: a process in parallel with a scheduler 
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behaves in a fully probabilistic way and the nondetcrminism arises from the fact 
that we can have many different schedulers. We may now ask the question: how 
powerful are the syntactic schedulers wrt the semantic ones, i.e. those defined 
directly over the automaton? 

Let P be as CCSp process and Per be the CCSo- process obtained from P 
by applying a linear labeling. We say that the semantic scheduler C of P is 
equivalent to the syntactic scheduler 5 of Per, written C ~p 5', iff the automatsll 
etree{P, () and P^ \\ S are probabilistically bisimilar in the sense of [5]. 

A scheduler S is non-blocking for a process P if it always schedules some 
transitions, except when P itself is blocked. Since semantic schedulers are usu- 
ally not allowed to block, we will restraint ourselves to non-blocking syntactic 
schedulers to obtain a 1 — 1 correspondence. Let Sem{P) be the set of the se- 
mantic schedulers for the process P, and Syn{Pa) be the set of the non-blocking 
syntactic schedulers for process Po-. The following result holds for pure CCS 
processes (that is, CCSp processes without probabilistic choice). 

Proposition 3. Let P be a pure CCS process and let P^ be a CCSa process 
obtained by adding a linear labeling to P. Then 

VC e Sem{P) 3S G Syn{P„) : C S and 
yS G Syn{P^) 3C G Sem{P) : C S 



4.1 The scheduler in the presence of probabiUstic choice 

In Proposition [3] we considered pure CCS processes in which the execution tree 
has only one possible execution. Now consider a process P containing an internal 
probabilistic choice. Even if we fix the scheduler, the outcome of the choice is not 
always the same, so P || could produce different executions. As a consequence, 
the syntactic schedulers we have defined are not enough to give us back all the 
semantic ones. Consider the process P = l:{li:a+pl2-b). After the probabihstic 
choice, either li : a or I2 '■ b will be available, but we cannot know which one. 
As a consequence, we cannot create a scheduler that selects a or 6, whatever is 
available. In fact, it's not even possible to create a non-blocking scheduler at all, 
both (j{l).a{li) and a{l).a{l2) will block on some executions. 

The problem here is that the process can make choices that are independent 
from the scheduler, so the latter should adapt its behavior to the outcome of 
these choices. To achieve this, we extend CCSg- by adding a scheduler choice 
construct. The new syntax and semantics are displayed in Figure O A scheduler 
can be the sum ^ ■ Si of several schedulers, and the outcome of the probabilistic 
choice (in the process) will determine the one to activate. In the case where more 
than one could be activated at the same time, we give preference to the first one 
in the sum, so the scheduler still behaves in a deterministic way. 

^ Note that with a slight abuse of notation we will use a process to denote its corre- 
sponding probabilistic automaton. 
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Fig. 5. Adding scheduler choice to CCScr 



In our previous example, we can use the scheduler a{l){a{li) + (j{l2)) which 
will produce a or 6 depending on the outcome of the probabilistic choice. With 
the scheduler choice, we can retrieve the full power of the semantic scheduler for 
full CCSp processes. 

Proposition 4. Proposition\3l holds for full CCSp processes if we extend sched- 
ulers with scheduler choice. 

4.2 Using non-linear labelings 

Up to now we are using only linear labelings which, as we saw, give us the whole 
power of semantic schedulers. However, we can construct non-linear labelings 
that are still deterministic, that is there is still only one transition possible at 
any time even though we have multiple occurrences of the same label. There are 
various cases of useful non-linear labelings. 

Proposition 5. Let P,Q be CCSa processes with deterministic labelings (not 
necessarily disjoint). The following labelings are all deterministic: 



Consider the case where P and Q in the above proposition share the same 
labels. In ([2]) the scheduler cannot select an action inside P, Q, it must select 
the choice itself. After the choice, only one of P, Q will be available so there 
will be no ambiguity in selecting transitions. The case ([3]) is similar but with 
nondeterministic choice. Now the guarding prefixes must have different labels, 
since the scheduler should be able to resolve the choice, however after the choice 
only one of P, Q will be available. Hence, again, the multiple copies of the labels 
do not constitute a problem. In ([4]) we allow the same label on the guarding 
prefixes of a nondeterministic choice. This is because the guarding channels a, b 
are restricted and only one of the corresponding output actions is available (a). 
As a consequence, there is no ambiguity in selecting transitions. A scheduler 
(t(/i, I2) can only perform a synchronization on a, even though li appears twice. 

However, using multiple copies of a label limits the power of the scheduler, 
since the labels provide information about the outcome of a probabilistic choice 
(and allow the scheduler to choose different strategies through the use of the 
scheduler choice). In fact, this is exactly the technique we will use to archive the 
goals described in Section [T] Consider for example the process: 



l:iP +pQ) 
h-.a.P + h-.b.Q 
{va){vb){li:a.P + h:b.Q \ h-.a) 



(2) 
(3) 

(4) 



l:{li:a +p li:a) \ h'.a.P \ h'.a.Q 



(5) 
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From Proposition[5l[2]) this labeling is deterministic. However, since both branches 
of the probabilistic sum have the same label li, the scheduler cannot resolve the 
choice between P and Q based on the outcome of the choice. There is still nonde- 
terminism: the scheduler a{l).a{li, I2) will select P and the scheduler cr(/).cr(/i, ^3) 
will select Q. However this selection will be independent from the outcome of 
the probabilistic choice. 

Note that we did not impose any direct restrictions on the schedulers, we 
still consider all possible syntactic schedulers for the process ([S]) above. How- 
ever, having the same label twice limits the power of the syntactic schedulers 
with respect to the semantic ones. This approach has the advantage that the re- 
strictions are limited to the choices with the same label. We already know that 
having pairwise different labels gives the full power of the semantic scheduler. So 
the restriction is local to the place where we, intentionally, put the same labels. 



5 Testing relations for CCSo- processes 



Testing relations [19] are a method of comparing processes by considering their 
interaction with the environment. A test is a process running in parallel with the 
one being tested and which can perform a distinguished action lj that represents 
success. Two processes are testing equivalent if they can pass the same tests. 
This idea is very useful for the analysis of security protocols, as suggested in [50], 
since a test can be seen as an adversary who interferes with a communication 
agent and declares w if an attack is successful. Then two processes are testing 
equivalent if they are vulnerable to the same attacks. 

In the probabilistic setting we take the approach of [13] which considers the 
exact probability of passing a test (in contrast to [10] which considers only the 
ability to pass a test with probability non-zero (may-testing) or one (must- 
testing)). This approach leads to the definition of two preorders ^may and 
Emust- P Emay Q mcaus that the if P can pass O then Q can also pass O 
with the same probability. P Emust Q means that if P always passes O with at 
least some probability then Q always passes O with at least the same probability. 

A labeling of a process is fresh (with respect to a set V of processes) if it is 
linear and its labels do not appear in any other process in V. A test O is a CCSo- 
process with a fresh labeling, containing the distinguished action w. Let Test-p 
denote the set of all tests with respect to V and let {v)P denote the restriction 
on all channels of P, thus allowing only r actions. We define Pui{P,S,0) to 
be the probability of the set of executions of the fully probabilistic automaton 
(z/)(P \ O) \\ S that contain lo. Note that this set can be produced as a countable 
union of disjoint cones so its probability is well-defined. 
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Definition 2. Let P, Q be CCS^ processes. We define must and may testing 
preorders as follows: 

0)) 3Sq e Syn{{v){Q \ 0)) : 
0)) 3Sp e Syn{{u){P \ O)) : 

We also define ~may,~must to be the equivalences induced by Emay, Emust 
respectively. 

A context C is a process with a hole. A preorder C is a precongruence if 
P Q Q imphes C[P] C C[Q] for aU contexts C. May and must testing are 
precongruences if we restrict to contexts with fresh labehngs and without oc- 
currences of +. This resuh is essentially an adaptation to our framework of the 
analogous precongruence property in [3J. 

Proposition 6. Let P, Q be CCSa processes such that P Qmay Q cind let C be 
a context with a fresh labeling and in which + does not occur. Then C[P] ^may 
C[Q]. Similarly for Emiist- 

This also implies that ~may, ~must are congruences. Note that P, Q in the above 
proposition are not required to have linear labelings, P might include multiple 
occurrences of the same label thus limiting the power of the schedulers Sp. This 
shows the locality of the scheduler's restriction: some choices inside P are hidden 
from the scheduler but the rest of the context is fully visible. 

If we remove the freshness condition then Proposition[S]is no longer true. Let 
P = li:a.l2.b, Q = l^-.a.Uib and C — l:{li:a.l2.c+p []). We have P «may Q 
but C[P], C[Q] can be separated by the test O = d.b.uj \ a.c.oj (The labeling is 
omitted for simplicity since tests always have fresh labelings.) It is easy to see 
that C{Q] can pass the test with probability 1 by selecting the correct branch of 
O based on the outcome of the probabilistic choice. In C[P] this is not possible 
because of the labels Zi, I2 that are common in P, C. 

We can now state the result that we announced in Section [TJ 

Theorem 1. Let P,Q be CCSa processes and C a context with a fresh labeling 
and without occurrences of bang. Then 

l:{C[h:T.P]+pC[h:T.Q]) ^may C[l:{P+pQ)] and 
l:{C[h:T.P] +p C[h:T.Q]) ^^^st C[l:{P +p Q)] 

The proof is given in the appendix. 

There are two crucial points in the above Theorem. The first is that the 
labels of the context are copied, thus the scheduler cannot distinguish between 
C\li :t.P] and C[li :t.Q] based on the labels of the context. The second is that 
P, Q are protected by a r action labeled by the same label li. This is to ensure 
that in the case of a nondeterministic sum (C = i? + [] ) the scheduler cannot 
find out whether the second operand of the choice is P or Q unless it commits to 



P ^may Q € E Tcstp^Q ^Sp £ Syn{{,y)iP 
pUP,Sp,0)<pUQ,Sq,0) 

P Qmust Q iff yO e Testp^Q ySq € Syn{{v){Q 
pUP,Sp,0)<pUQ,Sq,0) 
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selecting the second operand. For example let R — li: {I2 la+o.sO), P = l3:a,Q = 
0. Then Ri = (i? + a) +0.1 (-R + 0) is not testing equivalent to R2 =-R+(a+o.iO) 
since they can be separated hy O — a.oj and a scheduler that resolves i? + a to 
a and i? + to R. However, if we take R'^ = {R + l:T.a) +0.1 {R + 1:t.O) then R[ 
is testing equivalent to R2 since the scheduler will have to resolve both branches 
of R'l in the same way (even though we still have non-determinism). 

The problem with replication is simply the persistence of the processes. It is 
clear that IP+plQ cannot be equivalent in any way to 1{P +p Q) since the first 
replicates only one of P, Q while the second replicates both. However Theorem 
[1] together with Proposition [6] imply that 

C'[l : {C[h:T.P] +p C[h:T.Q])] «„,ay C'[C[l : (P +p Q)]] (6) 

where C is a context without bang and C is a context without +. The same is 
also true for ~must- This means that we can lift the sum towards the root of 
the context until we reach a bang. Intuitively we cannot move the sum outside 
the bang since each replicated copy must perform a different probabilistic choice 
with a possibly different outcome. 

Theorem [T] shows that the probabilistic choice is indeed private to the process 
and invisible to the scheduler. The process can perform it at any time, even in 
the very beginning of the execution, without making any difference to an outside 
observer. 

6 An application to security 

In this section we discuss an application of our framework to anonymity. In 
particular, we show how to specify the Dining Cryptographers protocol [5T] so 
that it is robust to scheduler-based attacks. We first propose a method to encode 
secret value passing, which will turn out to be useful for the specification: 

l:c{x).P ^Y.^l■■CV^.P["^/^] (7) 

l:c{v).P ^l:cv.P (8) 

This is the usual encoding of value passing in CSS except that we use the same 
label in all the branches of the nondeterministic sum. To ensure that the re- 
sulting labeling will be deterministic we should restrict the channels cvi and 
make sure that there will be at most one output on c. We will write {uc)P for 
{vcvi) . . . {vcVn)P- For example, the labeling of the following process is deter- 
ministic: 

{vc){li:c{x).P I l:{l2:c{vi) +p l2:c{'"2))) 

This case is a combination of the cases ([2]) and (|4]) of Proposition [S] The two 
outputs on c are on different branches of the probabilistic sum, so during an 
execution at most one of them will be available. Thus there is no ambiguity in 
scheduling the sum produced by c(x). The scheduler a{l).a{li, I2) will perform a 
synchronization on cvi or cw2, whatever is available after the probabilistic choice. 
In other words, using the labels we manage to hide the information about which 
value was transmitted to P. 
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Master = li:Y^'^^QPi{mo{i==0) \ mi{j==l) | m2{i==2)) 
h h h 

Crypti = mi{pay) . Ci^i{coini) . Ci,i®i(com2) . outi{pay ® coini (g) coin2) 



Coiui = lg,i:{{ci,i{0) I Ciei,i{0)) +0.5 (ci,i(l) | CiQi,i(l))) 

ho,i hl.i hQ,i hl.i 

Prot = {vm){Master \ (;^c)(njLo Crypto \ HLo Coiui)) 



Fig. 6. Encoding of the dining cryptographers with probabihstic master 



6.1 Dining cryptographers with probabilistic master 

The problem of the Dining Cryptographers is the following: Three cryptogra- 
phers are dining together. At the end of the dinner, the bill has to be paid by 
either one of them or by another agent called the master. The master decides 
who will pay and then informs each of them separately whether he has to pay or 
not. The cryptographers would like to find out whether the payer is the master 
or one of them. However, in the latter case, they also wish to keep the payer 
anonymous. 

The Dining Cryptographers Protocol (DCP) solves the above problem as 
follows: each cryptographer tosses a fair coin which is visible to himself and his 
neighbor to the right. Each cryptographer checks the two adjacent coins and, if 
he is not paying, announces agree if they are the same and disagree otherwise. 
However, the paying cryptographer will say the opposite. It can be proved that 
if the number of disagrees is even, then the master is paying; otherwise, one of 
the cryptographers is paying [3T]. 

An external observer O is supposed to see only the three announcements 
outi{. . .). As discussed in [22, DCP satisfies anonymity if we abstract from their 
order. If their order is observable, on the contrary, then a scheduler can reveal the 
identity of the payer to O simply by forcing the payer to make his announcement 
first. Of course, this is possible only if the scheduler is unrestricted and can choose 
its strategy depending on the decision of the master (or on the results of the 
coins). 

In our framework we can solve the problem by giving a specification of the 
DCP in which the choices of the master and of the coins are made invisible to the 
scheduler. The specification is shown in Figure [6l We use some meta-syntax for 
brevity: The symbols © and Q represent the addition and subtraction modulo 
3, while ® represents the addition modulo 2 (xor). The notation i==n stands 
for 1 if i = n and otherwise. 

There are many sources of nondeterminism: the order of communication be- 
tween the master and the cryptographers, the order of reception of the coins. 
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P ::=...! 1:{P} 
CP :■- P\\S,T 



INDEP 



p II r-^/x 



1:{P} ||a(O.S,T^^' 
where ^l'{P' \\ S,T') = n{P' \\ T') 



Fig. 7. Adding an "independent" scheduler to the calculus 



and the order of the announcements. The crucial points of our specification, 
which make the nondeterministic choices independent from the probabilistic 
ones, are: (a) all communications internal to the protocol (master-cryptographers 
and cryptographers-coins) are done by secret value passing, and (b) in each 
probabilistic choice the different branches have the same labels. For example, all 
branches of the master contain an output on toq, always labeled by l2^ but with 
different values each time. 

Thanks to the above independence, the specification satisfy strong probabilis- 
tic anonymity. There are various equivalent definitions of this property, we follow 
here the version presented in [22j . Let o represent an observable (the sequence of 
announcements), and ^5(0 | frii{l)) represent the conditional probability, under 
the scheduler S, that the protocol produces o given that the master has selected 
Cryptographer i as the payer. 

Proposition 7 (Strong probabilistic anonymity). The protocol in Figure 
satisfies the following property: for all schedulers S and all observables o, 
Ps{o I mo(l)) =ps(o I TOi(l)) ^ps{o I m2(l)) 

Note that different schedulers will produce different traces (we still have nonde- 
terminism) but they will not depend on the choice of the master. 

Some previous treatment of the DCP, including [22] , had solved the problem 
of the leak of information due to too-powerful schedulers by simply considering as 
observable sets of announcements instead than sequences. Thus one could think 
that using a true concurrent semantics, for instance event structures, would solve 
the problem. We would like to remark that this is false: true concurrency would 
weaken the scheduler enough in the case of the DCP, but not in general. For 
instance, it would not help in the anonymity example in the introduction. 

6.2 Dining cryptographers with nondeterministic master 

We sketch here a method to hide also certain nondeterministic choices from the 
scheduler, and we show an application to the variant of the Dining Cryptogra- 
phers with nondeterministic master. 

First we need to extend the calculus with the concept of a second independent 
scheduler T that we assume to solve the nondeterministic choices that we want 
to make transparent to the main scheduler S. The new syntax and semantics 
are shown in Figure [T] I : {P} represents a process where the scheduling of P is 
protected from the main scheduler S. The scheduler S can "ask" T to schedule P 
by selecting the label I. Then T resolves the nondeterminism of P as expressed 
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by the INDEP rule. Note that we need to adjust also the other rules of the 
semantics to take T into account, but this change is straightforward. We assume 
that T does not collaborate with S so we do not need to worry about the labels 



To model the dining cryptographers with nondeterministic master we replace 
the Master process in Figure [H] by the following one. 



Essentially we have replaced the probabilistic choice by a protected nondeter- 
ministic one. Note that the labels of the operands are different but this is not a 
problem since this choice will be scheduled by T. Note also that after the choice 
we still have the same labels ^4: however the labeling is still deterministic, 
similarly to the case [3] of Proposition [S] 

In case of a nondeterministic selection of the culprit, and a probabilistic 
anonymity protocol, the notion of strong probabilistic anonymity has not been 
established yet, although some possible definitions have been discussed in [22]. 
Our framework makes it possible to give a natural and precise definition. 

Definition 3 (Strong probabilistic anonymity for nondeterministic se- 
lection of the culprit). A protocol with nondeterministic selection of the cul- 
prit satisfies strong probabilistic anonymity iff for all observables o, schedulers 
S, and independent schedulers Ti,T2 which select different culprits, we have: 
Ps,tAo) =PS.T2{o). 

We can prove the above property for our protocol: 

Proposition 8. The DCP with nondeterministic selection of the culprit speci- 
fied in this section satisfies strong probabilistic anonymity. 

7 Conclusion and Future work 

We have proposed a process-calculus approach to the problem of limiting the 
power of the scheduler so that it does not reveal the outcome of hidden random 
choices, and we have shown its applications to the specification of information- 
hiding protocols. We have also discussed a feature, namely the distributivity 
of certain contexts over random choices, that makes our calculus appealing for 
verification. Finally, we have considered the probabilistic testing preorders and 
shown that they are precongruences in our calculus. 

Our plans for future work are in two directions: (a) we would like to inves- 
tigate the possibility of giving a game-theoretic characterization of our notion 
of scheduler, and (b) we would like to incorporate our ideas in some existing 
probabilistic model checker, for instance PRISM. 

Acknowledgments. We would like to thank Vincent Danos for having pointed 
out to us an attack to the Dining Cryptographers protocol based on the order 
of the scheduler, which has inspired this work. 



in P. 



Master ^ li:{J2^^^Qli2.i:T.{mo{i==0) \ mi(i==l) | m2{i==2))} 
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A Proofs 

In this appendix we give the proof of the main technical result of our paper. 

Theorem [1] Let P, Q be CCSo- processes and C a context with a fresh labeling 
and without occurrences of bang. Then 

l:{C[h:T.P]+j,C[W.T.Q]) «„ay C[l:{P+pQ)] and 
l:{C[h:T.P] +j,C[W.T.Q]) ^^^^t C[l:{P +p Q)] 

Proof. 

Since we will always use the label I for all probabilistic sum -|-p, and Zq for t.P 
and r.Q, we will omit these labels to make the proof more readable. We will also 
denote (1 — p) by p. 

Let i?i = C[t.P] +p C[t.Q] and i?2 = C[P +p Q]. We wiU prove that for 
all tests O and for all schedulers £ Syn{{v){Ri \ O)) there exists 52 G 
Syn{{v){R2 \ O)) such that Pi^{Rx,Si,0) — Puj{R2, S2,0) and vice versa. This 
impHes both i?i «may R2 and i?i Wmust ^2- 

Without loss of generality we assume that tests do not perform internal 
actions, but only synchronizations with the tested process. First, it is easy to 
see that 

Pu.{P +p Q, <J{1).S, 0)^p p^{P, S,0)+p p^iQ, S, O) (9) 
p^{h:a.P,a{hM)-S.O)^p^{P,S,0') (10) 

where {v){h:a.P \ O) \\ a{liM)-S ^ 5{{v){P \ O' \\ S)). 

In order for the scheduler of Ri to be non-blocking, it has to be of the form 
a{l).Sx, since the only possible transition of i?i is the probabilistic choice labeled 
by I. By ([9]) we have 

Pu,{C[t.P] -f C[r.Q], a(/).5i, O) = p Pu,{C[r.P], Si, O) + p pUC[t.Q], Si,0) 
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The proof will be by induction on the structure of C. Let O range over tests 
with fresh labelings, let range over nonblocking schedulers for both C[t.P] 
and C[t.Q] (such that (j{l).Si is a nonblocking scheduler for Ri) and let 5*2 range 
over nonblocking schedulers for i?2- The induction hypothesis is: 

^) VO VS*! 35*2 : 

p p^{C[t.P],Si,0) +Pp^{C[t.Q].,SuO) = p^{C[P +p Q], ^2, O) and 

VO vs'2 as*! : 

p p^{C[t.P],Si,0) +pp^{C[t.QISi,0) = p^{C[P +p QIS2.. O) 
We have the following cases for C: 

- Case C = []. Trivial. 

- Case C ^h-.a.C 

The scheduler Si of C[t.P] and C[t.Q] has to be of the form = (j{li,l2)-S'i 
where I2 is the label of a a prefix in O (if no such prefix exists then the case 
is trivial). 

A scheduler of the form (j{li,l2)-S can schedule any process of the form 
li'.a.X (with label li) giving the transition: 

{y){h:a.X \ O) \\ a{hM)-S ^ 5{{v){X \ O') \\ S) 

and producing always the same O' . The probability p^j for these processes 
will be given by equation (fTO|) . 
Thus for (=>) we have 

p p^{h:a.C[T.Pla{hM)-S[,0) + p p^{h:a.C[T.Qla{hM)-S[,0) 



= p pAC'[t.P], S[,0') + p p^{C'[T.QiS[,0') m 

= P^{C'[P+pQlS'2,0') Ind. Hyp. 

= p^{h:a.C'[P +p Q],a{hM)-S'2,0) ^ 

= Puj{R2,S2,0) 



For (<^) we can perform the above derivation in the opposite direction, 
given that a scheduler for R2 = h :a.C'\P +p Q] must be of the form 5*2 = 
a{li,l2)-S'2. 
- Case C = C' \R 

Since we only consider contexts with fresh labelings, i? | O is itself a test, 
and 

p^{X I R, S, O) - p^{X, S,R\0) (11) 
Thus for (=>) we have 

PP^{C'[t.P] I R,Si,0)+pp^{C'[r.Q] \ R,Si,0) 

= pp^ [C [t.PISi,R\0)+p p^ [C [t.Q] ,Si,R\0) ^ 

= p^iC'[P+pQ],S2,R\0) Ind. Hyp. 

= Pu.{C'[P+pQ]\R,S2,0) dm) 

= PcjiR2,S2,0) 
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For (4=) we can perform the above derivation in the opposite direction. 

- Case C ^1 : (C R) 

Since we consider only contexts with fresh labeHngs, the labels of C are 
disjoint from those of R, thus the scheduler of a process of the form li : 
{C'[X] +q R) must be of the form S = a{li).{Sc + Sr) where Sc is a 
scheduler containing labels of C" [X] and Sr a scheduler containing labels of 
R. Moreover 

pUIi-{C'[X] +,R),S,0) 

= q pUC'[X], Sc + Sr, 0) + q p^{R, Sc + Sr, O) 

- q p^C'iX], Sc,0)+q pUR, Sr, O) (12) 

As a consequence, the scheduler Si of C[t.P] and C[t.Q] has to be of the 
form Si = a{li).{Sc + Sr). 
For we have 

PPu^ih: {C [t.P] +gR),Si,0)+ppUh:iC' [t.Q] +, R),Si, O) 
= q{p pUC'[t.P],Sc, O) +ppUC'[t.Q],Sc, 0))+ 

qp^{R,SR,o) m 

= qPu{C'[P+p Q]),S'c,0) + 

q Pu,{R, Sr, O) Ind. Hyp. 

= p^ih : iC'[P +p Q] +, R),a{li).{S'c + Sr), O) m 

= pUR2,S2,o) 

For we can perform the above derivation in the opposite direction, 
given that a scheduler for R2 = h: {C'[P +p Q] +q R) must be of the form 
S2 = ct{Ii).{S'c + Sr). 

- Case C^C' + R 

Consider the process C'[Io:t.P] + R. The scheduler S'l of this process has to 
choose between C'[Io:t.P] and R. 

There are two cases to have a transition using the SUMl, SUM2 rules. 

i) Either {i'){C'[Io:t.P]+R \ O) || Sr ^ such that {iy){R [ O) || Sr 
fj,. In this case 

p^iC'[lo:T.P] + R, Sr, O) = pUR, Sr, O) (13) 

ii) Or (iy){C'[lo:T.P] + R [ O) \[ Sc ^ ^i such that {iy){C'[lQ -.t.P] \ O) || 
Sc A*- In this case 

p^ {C [lo : T.P] + R, Sc,0)^ p^ {C [lo ■.T.P],Sc, O) (14) 

Now consider the process C'[Iq:t.Q] + R. Since P and Q are behind the li :t 
action, this process has exactly the same visible labels as C'[Iq : t.P] + R. 
Thus Sr and Sc will select R and C'[Io:t.Q] respectively and the equations 
([T^ and nil) will hold. 
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In the case (i) {S — Sr) we have: 

p [C [t.P] + R,Sr,0)+p p^ {C [t.Q] + R),Sr,0) 

= ppUR,Sr,o)+ppUR,Sr,o) m 

= Puj{R,Sr,0) 

= pUC'[P +p Q]+R,Sr,0) 

= Pw(i?2, S2,0) 

In the case (ii) (5 — Sc) we have: 

p pUC'[t.P] + R, Sc, O) +pp^iC'[T.Q] + R), Sc, O) 
= p pUC'[r.P],Sc, 0)+p pUC'[t.Q],Sc, O) (O 
= pUC'[P +p Q],S'c, O) Ind. Hyp. 

= pUC'[P +p Q]+R,S'c,0) 

^ Plo{R2,S2,0) 

For we can perform the above derivation in the opposite direction. 
Case C = {va)C' 

The process [v){{i'a)C'[X] \ O) has the same transitions as {v){C'[X] \ {va 
The result follows by the induction hypothesis. 
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